A major security flaw: username and password are passed openly

Moonbiter (Elite; joined Apr 10, 2006; 2,740 posts; Vilnius, Lithuania; Society: Ex Cons; Avatar Name: Luke Moonbiter Sinclair)
As was discovered in this thread https://www.planetcalypsoforum.com/forums/showthread.php?t=72331&page=4, the EU launcher passes username and password openly as command line parameters when launching "Entropia.exe". This means they can be retrieved at any time, as long as entropia.exe is running, using any slightly more sophisticated process explorer.

For example: download this official MS utility http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx, launch EU, then right-click on the "entropia.exe" process and select "Properties". You will see your username and password in the command line section.

I've notified MA support about this; it should be fixed asap. People with a gold card are safe, but all others can be potential victims of hackers, as it doesn't even take a keylogger to retrieve this information...
 
This is as old as PE... and it won't be fixed asap xD

...The first time I remember someone mentioning it was more than 3.5 years ago. And I guess it was this way 4 and 5 years ago...

For example, search for Etopia's posts... he mentioned it a gazillion times...
 
First I thought this was x-fire bs, but entropia.

I didn't like the "IE-clientloader" when I logged in for first time. This needs to get fixed, again some lazy coding from MA.
 
I like the feature that you don't have to retype the username and password in the client window every time.

If you all want this problem fixed it means that we will have to type our login/password after we have clicked a "launch" button, in a similar way as we now type in our GC number. This is imo the only way to prevent sending data from the Client Loader to the 'game'.

Means relogging will take at least twice as long.
 
I like the feature that you don't have to retype the username and password in the client window every time.

If you all want this problem fixed it means that we will have to type our login/password after we have clicked a "launch" button, in a similar way as we now type in our GC number. This is imo the only way to prevent sending data from the Client Loader to the 'game'.

Means relogging will take at least twice as long.

Not true actually. The simplest way is for the client loader to send the username & password to the MA webserver via a secure connection (i.e. SSL), and the MA webserver adds it to the database and returns a session key. The client loader passes the session key to the EU client program, which logs in with that.

But there are tons of other ways. Another option is for the client loader to get an encryption key from the MA webserver, which lasts about 5 minutes, encrypt the username and password, and pass the encrypted ones on the command line to the EU client. The EU client sends the encrypted ones over the net to access EU, and MA can decrypt at their end. Or the EU client can fetch the decryption key and decrypt them once it receives them.

There are a million ways to achieve security without impacting the user experience, but passing clear passwords is certainly not one of them :laugh:
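As an added example (not code from the thread, from MindArk or from any of its posters), the session-key handoff described above, which is also the "login token" idea in a later post, next to the argv leak it replaces: a loader spawns a stand-in client with credentials on its command line and reads them back through /proc exactly as a process explorer would, then the hardened loader redeems the password once for a short-lived, single-use token that reaches the client over stdin. `LoginBroker`, `read_cmdline`, `hardened_launch_cmdline` and the alice/hunter2 account are assumed names and constructed data; the /proc read is Linux-only and the functions return None elsewhere.

```python
import os
import secrets
import subprocess
import sys

# Constructed stand-in for the account database; a real one stores salted hashes.
USERS = {"alice": "hunter2"}

# The pattern the thread describes: credentials on argv of a stand-in for Entropia.exe.
VULNERABLE_ARGV = [sys.executable, "-c", "import time; time.sleep(30)",
                   "--user", "alice", "--password", "hunter2"]

def read_cmdline(pid):
    """Read a process's argv as a process explorer does (Linux /proc; None elsewhere)."""
    path = f"/proc/{pid}/cmdline"
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return f.read().replace(b"\0", b" ").decode(errors="replace")

def argv_visible_to_other_processes(argv):
    """Spawn `argv` and return its command line as seen from another process."""
    child = subprocess.Popen(argv, stdout=subprocess.DEVNULL)
    try:
        return read_cmdline(child.pid)
    finally:
        child.kill()
        child.wait()

class LoginBroker:
    """Assumed stand-in for the MA web server: checks the password once (over TLS
    in practice) and hands back a short-lived, single-use session token."""
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._tokens = {}  # token -> (username, expiry timestamp)

    def issue(self, username, password, now):
        stored = USERS.get(username)
        if stored is None or not secrets.compare_digest(stored, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)  # random, not derivable from the host
        self._tokens[token] = (username, now + self.ttl)
        return token

    def redeem(self, token, now):
        user, expiry = self._tokens.pop(token, (None, 0))  # pop: single use
        return user if now < expiry else None

def hardened_launch_cmdline(token):
    """Launch the client with the token on stdin, never on argv; return what an
    explorer sees. The password itself never reaches the client process."""
    child = subprocess.Popen([sys.executable, "-c", "import sys; sys.stdin.readline()"],
                             stdin=subprocess.PIPE)
    try:
        seen = read_cmdline(child.pid)
        child.communicate(input=(token + "\n").encode())
        return seen
    finally:
        child.kill()
        child.wait()
```

Because the token is popped on first use and expires after `ttl_seconds`, a token scraped from memory or a pipe after login is worthless, which the loader-derived key proposed later in the thread cannot guarantee.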
 
As was discovered in this thread https://www.planetcalypsoforum.com/forums/showthread.php?t=72331&page=4, the EU launcher passes username and password openly as command line parameters when launching "Entropia.exe". This means they can be retrieved at any time, as long as entropia.exe is running, using any slightly more sophisticated process explorer.

For example: download this official MS utility http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx, launch EU, then right-click on the "entropia.exe" process and select "Properties". You will see your username and password in the command line section.

I've notified MA support about this; it should be fixed asap. People with a gold card are safe, but all others can be potential victims of hackers, as it doesn't even take a keylogger to retrieve this information...

Nice research, even if it is public already. But as long as MA uses a vulnerable browser within the Clientloader.exe, the logon procedure will remain vulnerable, hence a good reason to finally get a GoldCard :D

anyways, +rep for "finding" ^^
 
Actually having a gold card will only prevent access.

If someone has your username and password they only have to put in 3 random number sequences which are wrong to lock our account, because it would get your Gold Card out of sync. And that would be annoying to say the very least. There is then also the 3 in a million possibility they guessed the right number sequences and gained access to your avatar and got ingame.

So make a support case. The more people will do that the more power we have to influence MA to solve it.

Cheers
Richard
(ingame Siam)
 
:censored::censored::censored::censored:


I didn't know and I am amazed to see this is possible. I already wore out my 2nd gold card so I don't feel at all threatened, but this puts some remarks made by MA staff in a different perspective all over again.

I can't believe any gaming company makes security for their participants such a low priority. Smart hackers find their way anyway, but making this so easy is incredibly dumb and irresponsible.

I expected more from MA than this disrespect shown towards players. I really want to make more positive remarks about the game but these issues keep switching the balance yet again.

Free Gold cards for all participants ingame seems the most responsible way to act from MA's standpoint, since their programming puts players in this position.
 
As was pointed out, it's been brought up many many times, many many years ago. Sure you could create a secure connection, encrypt the cached credentials, but it's not that hard to hijack SSL. If you have the money or the means to snag one of the many applications that do this, it's as simple as right clicking and selecting take over connection. It even does the math for you and figures out the next sequence numbers! But anyway, the lesson here is spend the money on a gold card. Mindark could save themselves a lot of time that gets wasted on support cases "I GOT HACKED" if they simply included a gold card on your first deposit over $100. Either way, they have provided us a very secure way to prevent unauthorized access and to my knowledge, the gold card system has not been breached. Being in the bank security arena, I'm pretty impressed how secure they have made it.
DO IT.:wtg:
 
I was worried until I thought, oh wait I have a GC ... but then I realised that someone could quite easily login to the EU website with my details and maybe at most make a big deposit for me lol

If we freaked out about all the little Windows/internet security issues we'd never get anything done.
 
Nice that I have to buy a goldcard due to bad code writing by MA. But it's a nice one by them: they make bad code so the players have to spend money on Goldcards, and MA gets some more cash in their pockets!

Go MA:wtg:
 
Sure you could create a secure connection, encrypt the cached credentials, but it's not that hard to hijack SSL. If you have the money or the means to snag one of the many applications that do this, it's as simple as right clicking and selecting take over connection. It even does the math for you and figures out the next sequence numbers!

I never suggested this was adequately secure. Merely a quick fix for MA to overcome passing the login credentials on the command line from loader to client.

Of course the correct way to make it secure is to use a challenge response system which does not pass the login credentials over the net at all, only keeps them in the client loader, obtains a login token from the MA server, passes this to the client, which then uses it.

However, I am assuming MA would rather get a quick fix in place to solve the immediate problem, instead of leaving it as is, and taking several months to come up with a strategic solution.

I think the simplest quick fix would actually be for them to make no server change at all. Just get the loader to create an encryption key based on some moderately static feature of the client system, encrypt the uname and pwd with that key, and pass the encrypted data on the command line. The client can work out the same key and decrypt.

Of course it won't stop determined hackers, who will reverse engineer the code to determine how the key is constructed and then decrypt the command line parameters to get the credentials.

But we aren't talking about stopping determined hackers - we are talking about stopping freely available process monitoring software from accessing your account details, as opposed to hacking tools.
 
Nice that I have to buy a goldcard due to bad code writing by MA. But it's a nice one by them: they make bad code so the players have to spend money on Goldcards, and MA gets some more cash in their pockets!

Go MA:wtg:

I think EVERYONE should buy a GC and I'm almost sure MA makes nothing off selling them!
 
If you really want MA to fix it, write a tutorial how to hack someone with this bug and send it to MA. Tell them they have 2 weeks till you post it here... That should make them fix it :rolleyes:
 
Not true actually. The simplest way is for the client loader to send the username & password to the MA webserver via a secure connection (i.e. SSL), and the MA webserver adds it to the database and returns a session key. The client loader passes the session key to the EU client program, which logs in with that.

But there are tons of other ways. Another option is for the client loader to get an encryption key from the MA webserver, which lasts about 5 minutes, encrypt the username and password, and pass the encrypted ones on the command line to the EU client. The EU client sends the encrypted ones over the net to access EU, and MA can decrypt at their end. Or the EU client can fetch the decryption key and decrypt them once it receives them.

There are a million ways to achieve security without impacting the user experience, but passing clear passwords is certainly not one of them :laugh:

Afaik as long as the username and password are in the client loader they are still in memory and therefore accessible.

But let's face it, the only way this could be abused is when the client system is already compromised. And once a system is compromised the only limitation to what a hacker can do depends on his imagination.

I'm not defending MA here, there are indeed better ways to handle this, but it isn't as shocking as some people seem to think it is. It has been around forever (and ppl who want to hack probably already knew this).
 
OK I'm getting a bit cheesed now.. goldcard gold card goldcard... WHY should I buy a $25 goldcard to protect MY MONEY and MY PERSONAL INFO cos MA are too lazy to do things properly.......

It's almost a monopoly scam on security... you're unsecure and we can't protect your info or assets until you buy the security from us and only us
 
OK I'm getting a bit cheesed now.. goldcard gold card goldcard... WHY should I buy a $25 goldcard to protect MY MONEY and MY PERSONAL INFO cos MA are too lazy to do things properly.......

It's almost a monopoly scam on security... you're unsecure and we can't protect your info or assets until you buy the security from us and only us

You've got a very big point there. Everyone really concerned about their security should get a GC, but even without it any participant should be safe enough... which is not the case apparently.

No answer yet from support... One more interesting thing, I'll just quote myself from the other thread:

One more thing... even having a goldcard you're not totally safe. Here's an excerpt from the "important notes" that came together with the GC:

"Should you wish to unregister your Smart Card, you can contact the Entropia Universe Support Dept. by going to the "Support" section of the Entropia Universe website and logging into the "My Support" section with your normal login and password. There we ask you to file a new Support Case under the "Account" category"

:rolleyes:
 
One more interesting thing, I'll just quote myself from the other thread:

This is correct. GC should be required for access to your account section of EntropiaUniverse.com as well.
 
With what Moonbiter said what's the point of having a GC? A hacker can just get MA to take it away.
 
With what Moonbiter said what's the point of having a GC? A hacker can just get MA to take it away.

You need a copy of any ID document that matches the info present under the account details.

So unless you steal someone's ID you can't remove his GC.

Gold Card & Security FAQ said:
I do not wish to use the Gold Card System anymore. Please remove it.

Since the Gold Card System is meant to offer you the highest security possible, we cannot remove your Gold Card unless you send us a copy of your passport or other internationally acknowledged identification document to verify yourself as the true holder of the Entropia Universe account. Such documents should be sent by regular mail or fax to:

MindArk PE AB
Customer Service Department
Jarntorget 8
SE 413 04 Gothenburg
SWEDEN

FAX: +46-31-136016
 
You need a copy of any ID document that matches the info present under the account details.

So unless you steal someone's ID you can't remove his GC.

Hmm, well thank you. It would still get really annoying if they keep locking you out of EU by sending in 3 fake GC numbers.
 
You need a copy of any ID document that matches the info present under the account details.

So unless you steal someone's ID you can't remove his GC.

Thanks for clarification, it really makes me feel much safer. I was concerned about the possibility to remove the GC by anyone who knows your username/password, even before this particular incident.
 
But you're all missing the point.. I shouldn't HAVE to buy a goldcard to protect myself, MA should do it anyway.

I don't want to be pushed to get a goldcard cos MA can't be assed to use a system which doesn't broadcast your details to anyone who has half an inkling how to gain access to your pc.

Essentially MA are saying "WE can't protect YOU unless you buy a goldcard"

Italian mafia, russian mafia, any organised gang say ..."WE cant protect YOU unless you pay us protection money"


anyone see the similarity ???
 
You need a copy of any ID document that matches the info present under the account details.

So unless you steal someone's ID you can't remove his GC.


well, here it goes:

login to entropia website --> get the info needed -- open photoshop....

should I continue?
 
Oh and not to mention a 3yr old can steal someone's ID... it's not hard.

You can get all the info etc you need through the LEGAL routes to steal someone's ID.

If I logged into someone's account on the EU website I could use the info there to start my ID theft... gimme a week or 2 (in that time you don't even know I've been on your account as I do nothing to it) and I can have all the documents MA needs to remove the GC. I send them. MA remove it... I "loot" your account... oh and open a few credit cards :D

It's easy as hell.. and for those who doubt me..... I worked in credit card fraud dealing with ID theft and account takeovers... so don't underestimate my info :laugh:

Plus it won't look like a photoshopped document, it'll be the real thing :)
passport, driving licence, birth + marriage certificate, the works

Now if MA want to make the goldcard better, implement it for the website.. then ID theft is going to be very difficult using the website, as then I couldn't get the GC removed off the account
 
exactly, and it is not about a few mesos... how much modfaps go atm? some people do not make that much in a RL paycheck for the whole year even in US...
 
I think EVERYONE should buy a GC and I'm almost sure MA makes nothing off selling them!

I both agree and disagree on this (huh?). The need to buy a GC is an artificial one, created in part by MA's practice of leaving the customer wanting in regards to security.

Turn this around -- what if NOBODY bought one. Who is responsible for securing our assets? Is it not MA themselves? As long as we "accept" the responsibility to secure the accounts, we perpetuate the need.

As soon as we say, "wait a second -- our investment in you requires that you belly up to the bar and safeguard it for us", we turn the tables around into expectations that are aligned with the rest of the world. When you deposit money in a bank, do they charge you for the vault? Do they charge you for the security cameras, silent alarms, and staff? When they are robbed do they tell you the robber took YOUR money? OF COURSE NOT -- Why then do we ALLOW mindark to charge us extra to provide what THEY should be responsible for?!?

So, in practical terms, I can see why GC's are a necessary evil, but nonetheless, the evil is MA's making, and they DO benefit -- if for nothing else, they benefit by being able to dodge responsibility for lacking even the most basic security.

For me, this is only an intellectual coin-toss, but I don't fault people for feeling so strongly about it. :shrug:
 
(reposted from this https://www.planetcalypsoforum.com/forums/showpost.php?p=867456&postcount=50 thread) this one seems more active and more on topic with what I have to say.

Seems to me MA really hasn't done their job here at all. With all the fears of hacking and MA's insistence everything is secure, this is pure disrespect on their part. They say get a gold card to be secure. Little did we realize that they said that because they KNEW the back door was open!?!

Okay, here is an analogy. A safe salesperson sells a safe to a buyer telling them that it has a combo lock built in, however they sell a much better one for only $20 more dollars. The buyer refuses, thinking the built in lock should be good enough, but they are not aware the combo is printed in a spot on the safe if you know where to look. So, you do need the fancy new lock to truly be safe with your things. And the salesman knows it BUT doesn't share that lovely tidbit, because it makes him look bad.
 
All that has been said 200 behemotzillion times...
What has changed?

I do believe now MA has no other way than to improve all this...
Remember about Chinese, PR and security?
They chose EU because of high security, and they want high security.
Such a big open security hole will create for sure a very very big problem...
Sniffers for EU login and pass are on the way...
Worse, it's not a keylogger that's needed, and so, not detected by most AV or firewall...
Right now, since all is written clear as a command line, it's way easier to steal an EU password than a freaking dumb forum account....

To get rid of 20 or 30 assholes that live in Romania, MA banned the whole country... but they won't ban whole China... and I am sure there is the same % of population in China that are assholes as in Romania...
Romanian people are not more thieves than others...
So, what will happen?

Yes MA, it's now time to think a bit about your security.... That's what you sell to China...
 